On Mon, Jul 22, 2019 at 07:38:53PM +0000, Holger Levsen wrote:
> On Mon, Jul 22, 2019 at 06:32:47PM +0000, Mike Gabriel wrote:
> > The school I can test this on is currently powered down due to maintenance
> > work on the electric wiring in the building that hosts the server chamber.
> > It's on the list...
> 
> do you have an ETA for this?
> 
> currently the next point release is planned for August 31 or September
> 7...

We should really get this into 10.1; as the real world test date appears 
to be uncertain, I've now tested the fetch-ldap-script in two virtual Edu 
networks with buster and stretch workstations against both buster and 
pre-buster main servers. Everything works as expected; see logs from 
various scenarios further below to get the picture.

(Compared to my previous version there are a few cosmetic changes, also 
logging has been improved a bit.)

This is the diff against the current version in Git: 

diff --git a/debian/debian-edu-config.fetch-ldap-cert 
b/debian/debian-edu-config.fetch-ldap-cert
index dfec40da..4a4f5585 100755
--- a/debian/debian-edu-config.fetch-ldap-cert
+++ b/debian/debian-edu-config.fetch-ldap-cert
@@ -27,10 +27,10 @@ BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
 do_start() {
     # Locate LDAP server
     LDAPSERVER=$(debian-edu-ldapserver)
-
+    LDAPPORT=636 # ldaps
     ERROR=false
-    if [ -f /etc/nslcd.conf ] &&
-       grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
+    if [ ! -f $CERTFILE ] &&  [ -f /etc/nslcd.conf ] &&
+        grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
        if [ -z "$LDAPSERVER" ] ; then
            msg="Failed to locate LDAP server"
            log_action_begin_msg "$msg"
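Review bot: `$CERTFILE` in the new `[ ! -f $CERTFILE ]` test is unquoted, as are `$BUNDLECRT`, `$CERTFILE.new` and `$ltsp_chroot$CERTFILE` elsewhere in the script; quote them (`[ ! -f "$CERTFILE" ]`) so a value containing whitespace cannot split the test or the redirection targets. Folding the "already attached" guard into this condition also changes what happens when the file exists: the whole `if` is skipped instead of the script doing nothing, so whatever the alternative branch of this `if` does now runs on every boot of an attached host.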
@@ -39,18 +39,30 @@ do_start() {
            return 1
        fi
        [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL 
certificate."
-       if curl -f -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ; 
then
-           gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new 
ldap.intern < /dev/null
+       if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null 
| grep RootCA ; then
+           if curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT && 
\
+               grep -v -q 404 $BUNDLECRT ; then
+               gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new 
$LDAPSERVER < /dev/null
+               logger -t fetch-ldap-cert "Fetched bundle certificate from 
www.intern."
+           else
+               rm $BUNDLECRT
+               logger -t fetch-ldap-cert "Failed to fetch bundle certificate 
from www.intern."
+           fi
        else
            /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER 
> $CERTFILE.new
            chmod 644 $CERTFILE.new
+           logger -t fetch-ldap-cert "Fetched pre Buster LDAP server 
certificate."
        fi
        if test -s $CERTFILE.new ; then
            mv $CERTFILE.new $CERTFILE
            [ "$VERBOSE" != no ] && log_action_end_msg 0
-           logger -t fetch-ldap-cert "Fetched and verified LDAP SSL 
certificate from $LDAPSERVER."
+           if [ -f $BUNDLECRT ] ; then
+               logger -t fetch-ldap-cert "Fetched and verified LDAP SSL 
certificate from $LDAPSERVER."
+           else
+               logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from 
$LDAPSERVER."
+           fi
        else
-           rm $CERTFILE.new
+           rm -f $CERTFILE.new
            log_action_end_msg 1
            logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate 
from $LDAPSERVER."
            ERROR=true
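Review bot: the `grep -v -q 404 $BUNDLECRT` test after `curl -k` does not detect a failed download: `grep -v -q` succeeds as soon as any line of the file lacks the string 404, so a multi-line error page passes and is kept as the bundle. Test (4) below shows exactly this: curl reports 296 bytes received, gnutls-cli then fails with "Error in the certificate" and "Processed 0 CA certificate(s)", the run is caught only because `$CERTFILE.new` ends up empty, and the bogus `$BUNDLECRT` stays on disk because `rm $BUNDLECRT` only runs in the else branch. Keep `-f` (`curl -f -k -o "$BUNDLECRT" https://www.intern/debian-edu-bundle.crt`) so a 4xx/5xx makes curl exit non-zero and nothing is written, and remove `$BUNDLECRT` on the `test -s $CERTFILE.new` failure path as well. Two smaller points: gnutls-cli is called without a port, so it verifies and saves the certificate served on 443 (log (3): "Resolving 'tjener.intern:443'") while `$LDAPPORT` is only used for the `openssl s_client` probe; pass `-p "$LDAPPORT"` if the saved file is meant to be the LDAP server's certificate. And the `openssl s_client ... | grep RootCA` probe matches on the printed subject of an unverified certificate, which is fine as a version heuristic but should be named as such in a comment rather than read as a trust check.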
@@ -64,6 +76,14 @@ do_start() {
                log_action_begin_msg "Copying LDAP SSL certificate to 
ltsp-chroot $ltsp_chroot "
                if test -s $CERTFILE; then
                    cp $CERTFILE $ltsp_chroot$CERTFILE
+               [ "$VERBOSE" != no ] && log_action_end_msg 0
+               else
+                   log_action_end_msg 1
+                   ERROR=true
+               fi
+               log_action_begin_msg "Copying TLS certificate bundle to 
ltsp-chroot $ltsp_chroot "
+               if test -s $BUNDLECRT; then
+                   cp $BUNDLECRT $ltsp_chroot$BUNDLECRT
                    [ "$VERBOSE" != no ] && log_action_end_msg 0
                else
                    log_action_end_msg 1
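Review bot: the new bundle copy sets `ERROR=true` whenever `$BUNDLECRT` is missing, but the pre-Buster branch of do_start never creates a bundle, so a Buster LTSP server attached to a stretch or jessie main server will log a failure and exit 1 on every start even though the LDAP certificate itself was copied fine. Guard the bundle copy with the same `[ -f $BUNDLECRT ]` test the logging already uses, or downgrade a missing bundle to a warning. Also the `[ "$VERBOSE" != no ] && log_action_end_msg 0` line added directly after `cp $CERTFILE $ltsp_chroot$CERTFILE` is indented one level less than the `cp` it belongs to; align it with the surrounding block.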
@@ -76,16 +96,9 @@ do_start() {
        return 1
     fi
 }
-
 case "$1" in
     start)
-       # do absolutely nothing, if this host is already "attached" to
-       # a Debian Edu network
-       if [ -e /etc/ssl/certs/debian-edu-server.crt ]; then
-           :
-       else
-           do_start
-       fi
+       do_start
        ;;
     stop)
        ;;
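Review bot: dropping the early `[ -e /etc/ssl/certs/debian-edu-server.crt ]` check means do_start now runs on every start and relies on the `[ ! -f $CERTFILE ]` test folded into its main condition; please check what the alternative branch of that `if` does when the file is present, because from the context shown here the function ends with `return 1` there, which would turn a second, intentionally no-op run into a failed service start. The second-run test described below confirms the files were untouched but does not show the exit status; the output of `systemctl status fetch-ldap-cert` after that second run would settle it.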


In all test cases the existing certificates have been removed, then 
'service fetch-ldap-cert' has been run twice. The logs are from the 
first run. After the second one I checked if the certificates had not been 
fetched again. They had stayed untouched. I can also confirm that 
authentication actually worked afterwards.

(1) stretch workstation against buster main server

Jul 24 14:24:25 ws9mate systemd[1]: Starting LSB: Fetch LDAP SSL public key 
from the server...
Jul 24 14:24:25 ws9mate fetch-ldap-cert[2103]: Fetching LDAP SSL 
certificate....done.
Jul 24 14:24:25 ws9mate fetch-ldap-cert: Fetched LDAP SSL certificate from ldap.
Jul 24 14:24:25 ws9mate systemd[1]: Started LSB: Fetch LDAP SSL public key from 
the server.

(2) buster workstation against jessie main server 

Jul 24 12:57:15 am-080027dbce36 systemd[1]: Starting LSB: Fetch LDAP SSL public 
key from the server...
Jul 24 12:57:15 am-080027dbce36 fetch-ldap-cert: Fetched pre Buster LDAP server 
certificate.
Jul 24 12:57:15 am-080027dbce36 fetch-ldap-cert[1998]: Fetching LDAP SSL 
certificate....done.
Jul 24 12:57:15 am-080027dbce36 fetch-ldap-cert: Fetched LDAP SSL certificate 
from ldap.intern.
Jul 24 12:57:15 am-080027dbce36 systemd[1]: Started LSB: Fetch LDAP SSL public 
key from the server.

(3) buster workstation against buster main server

Jul 24 13:20:15 am-0800276f4d92 systemd[1]: Starting LSB: Fetch LDAP SSL public 
key from the server...
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Fetching LDAP SSL 
certificate.... 0 s:C = NO, ST = Intern, L = Debian Edu Network, O = Debian 
Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = 
[email protected]
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]:    i:C = NO, ST = 
Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = 
www.intern, emailAddress = [email protected]
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: subject=C = NO, ST = 
Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = 
www.intern, emailAddress = [email protected]
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: issuer=C = NO, ST = 
Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = 
www.intern, emailAddress = [email protected]
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]:   % Total    % Received 
% Xferd  Average Speed   Time    Time     Time  Current
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]:                          
        Dload  Upload   Total   Spent    Left  Speed
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: #015  0     0    0     0 
   0     0      0      0 --:--:-- --:--:-- --:--:--     0#015100  3460  100  
3460    0     0   259k      0 --:--:-- --:--:-- --:--:--  259k
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: |<1>| There was a non-CA 
certificate in the trusted list: C=NO,ST=Intern,L=Debian Edu Network,O=Debian 
Edu,OU=Debian Edu RootCA,CN=www.intern,[email protected].
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Processed 2 CA 
certificate(s).
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Resolving 
'tjener.intern:443'...
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Connecting to 
'10.0.2.2:443'...
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Certificate type: X.509
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Got a certificate list 
of 1 certificates.
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Certificate[0] info:
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]:  - subject 
`[email protected],CN=www.intern,OU=Debian Edu RootCA,O=Debian 
Edu,L=Debian Edu Network,ST=Intern,C=NO', issuer 
`[email protected],CN=www.intern,OU=Debian Edu RootCA,O=Debian 
Edu,L=Debian Edu Network,ST=Intern,C=NO', serial 
0x535fb6ec31d07546625c3c70ecdebc7504d4b473, RSA key 2048 bits, signed using 
RSA-SHA256, activated `2019-07-22 07:57:32 UTC', expires `2029-07-19 07:57:32 
UTC', pin-sha256="jlFjHURnQF3eoxKPHJSzs3FO3JIJL7vjlLPHIm1X8CU="
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: #011Public Key ID:
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: 
#011#011sha1:374487a04ac5ed79838f1e112e49677b11c46e70
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: 
#011#011sha256:8e51631d4467405ddea3128f1c94b3b3714edc92092fbbe394b3c7226d57f025
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: #011Public Key PIN:
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: 
#011#011pin-sha256:jlFjHURnQF3eoxKPHJSzs3FO3JIJL7vjlLPHIm1X8CU=
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Status: The 
certificate is trusted.
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Description: 
(TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Options:
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Handshake was completed
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Simple Client Mode:
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Peer has closed the 
GnuTLS connection
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert: Fetched bundle certificate 
from www.intern.
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: done.
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert: Fetched and verified LDAP SSL 
certificate from tjener.intern.
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Copying LDAP SSL 
certificate to ltsp-chroot /opt/ltsp/i386 ...done.
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Copying TLS certificate 
bundle to ltsp-chroot /opt/ltsp/i386 ...done.
Jul 24 13:20:16 am-0800276f4d92 systemd[1]: Started LSB: Fetch LDAP SSL public 
key from the server.

(4) similar to (3) but with the bundle certificate made unavailable 
    (just to check if a failure is reported)

Jul 24 13:26:24 am-0800276f4d92 systemd[1]: Starting LSB: Fetch LDAP SSL public 
key from the server...
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: Fetching LDAP SSL 
certificate.... 0 s:C = NO, ST = Intern, L = Debian Edu Network, O = Debian 
Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = 
[email protected]
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]:    i:C = NO, ST = 
Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = 
www.intern, emailAddress = [email protected]
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: subject=C = NO, ST = 
Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = 
www.intern, emailAddress = [email protected]
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: issuer=C = NO, ST = 
Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = 
www.intern, emailAddress = [email protected]
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]:   % Total    % Received 
% Xferd  Average Speed   Time    Time     Time  Current
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]:                          
        Dload  Upload   Total   Spent    Left  Speed
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: #015  0     0    0     0 
   0     0      0      0 --:--:-- --:--:-- --:--:--     0#015100   296  100   
296    0     0  26909      0 --:--:-- --:--:-- --:--:-- 26909
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: *** Fatal error: Error 
in the certificate.
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: Processed 0 CA 
certificate(s).
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: Resolving 
'tjener.intern:443'...
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: Connecting to 
'10.0.2.2:443'...
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: - Certificate type: X.509
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: - Got a certificate list 
of 1 certificates.
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: - Certificate[0] info:
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]:  - subject 
`[email protected],CN=www.intern,OU=Debian Edu RootCA,O=Debian 
Edu,L=Debian Edu Network,ST=Intern,C=NO', issuer 
`[email protected],CN=www.intern,OU=Debian Edu RootCA,O=Debian 
Edu,L=Debian Edu Network,ST=Intern,C=NO', serial 
0x535fb6ec31d07546625c3c70ecdebc7504d4b473, RSA key 2048 bits, signed using 
RSA-SHA256, activated `2019-07-22 07:57:32 UTC', expires `2029-07-19 07:57:32 
UTC', pin-sha256="jlFjHURnQF3eoxKPHJSzs3FO3JIJL7vjlLPHIm1X8CU="
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: #011Public Key ID:
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: 
#011#011sha1:374487a04ac5ed79838f1e112e49677b11c46e70
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: 
#011#011sha256:8e51631d4467405ddea3128f1c94b3b3714edc92092fbbe394b3c7226d57f025
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: #011Public Key PIN:
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: 
#011#011pin-sha256:jlFjHURnQF3eoxKPHJSzs3FO3JIJL7vjlLPHIm1X8CU=
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: - Status: The 
certificate is NOT trusted. The certificate issuer is unknown.
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: *** PKI verification of 
server certificate failed...
Jul 24 13:26:24 am-0800276f4d92 systemd[1]: fetch-ldap-cert.service: Control 
process exited, code=exited, status=1/FAILURE
Jul 24 13:26:24 am-0800276f4d92 systemd[1]: fetch-ldap-cert.service: Failed 
with result 'exit-code'.
Jul 24 13:26:24 am-0800276f4d92 systemd[1]: Failed to start LSB: Fetch LDAP SSL 
public key from the server.

If no one shouts I'll commit the script with a delay of two days...

Wolfgang
